Mixed Messages on Privacy and Security at MWC

Vittorio Colao, Vodafone Group CEO, dedicated his speech at Mobile World Congress to the five things that matter most to customers… or did he? Here is the list he came up with:

  1. Quality… in terms of speed, coverage, and content… and they really enjoy digital media.
  2. Good value… like affordable roaming.
  3. Privacy and security.
  4. Competition and choice.
  5. Digital Europe, India, Africa… because it is good for research, employment, the environment…

Is that a list of five things, or is it seven? Or ten? Or more?

Colao was supposedly sharing insights from Vodafone’s own consumer research, but unwittingly proved a quite different point: data is useless without a framework for interpreting it. With that in mind, let me present you with an alternative list of what people care about.

  1. Security.
  2. Everything else.

You will have noticed how my list pays less attention to other customer expectations like good network coverage and low prices. I do not deny that customers care about quality and price. However, context is everything. Let me explain the data I used to compile my list. I have observed that living human beings almost always prefer life to death. There seems to be a lot of data to support this conclusion. Sometimes there are exceptions, but generally it is safe to assume that people want to stay alive. So when faced with the imminent prospect of death, we can also assume that nobody is going to place a higher priority on finding a cheaper tariff, or downloading a viral YouTube video, to any and every measure which might extend their life. At other times, people may have different priorities. In fact, a few people will die each year because they are sending SMS messages or watching YouTube videos when they should be concentrating on driving their car. Hopefully you understand my point when I say you cannot just list security alongside other customer requirements, and then treat them all the same. Our priorities vary depending on our mood and circumstances, but some priorities always top others, irrespective of the thoughts that go through a customer’s mind, when asked to give their opinion.

It was widely reported that Colao said security and privacy were amongst the top customer requirements per Vodafone’s most recent customer study, with the emphasis placed on the fact that customers can and should enjoy both. The context is that our societies are supposedly engaged in a serious debate about balancing the needs of security with the needs of privacy. However, that is nonsense. Societies as a whole do not engage in debates like that. Only a few rarified individuals – government ministers and other politicians, captains of industry, opinion-makers in the press – actually engage in such debates. Colao is the CEO of a very large business, so I cannot blame him for using a platform like Mobile World Congress to score the kinds of points that he needs to make. It is his job to influence governments and do anything else which might improve returns for his shareholders. But whilst it seems very fashionable and clever to debate the relationship between security and privacy, Colao’s observation is stupefyingly simple. As a consequence, it does not deserve congratulation. Simultaneously championing security and privacy should be obvious, not controversial.

In operational terms, the twin goals of security and privacy are complementary for businesses like Vodafone. The more secure you make data, the less likely that privacy will be violated. If you make encryption stronger, that benefits both privacy and security, and reduces the reliance on alternative security measures. And when vetting employees, the kind of person who might undermine security is also the kind of person who might undermine privacy, so it would be absurd to design a vetting program that tries to tackle one of these risks but not the other. In fact, we should remember this when hearing about government spying programs. Are we expected to naively believe that if a government intelligence agency can persuade a telco employee to help them spy on customers, that this same employee could not possibly have been seduced into working for a hostile government, or a corporate rival?

Colao made a reasonable point about the need for better laws and rules surrounding privacy and security. He is right to ask the European regulator to hurry the delivery of a consistent data privacy and security framework. But this is also an easy and cheap observation for him to make. There must be a million things that Vodafone could do, today, to improve security and privacy for their customers. That is not a specific criticism of Vodafone; in the field of security and privacy, every big company could make a million improvements. More can always be done because these fields are complicated, and naughty people are always trying to discover previously unnoticed weak points. Inevitably a line must be drawn because of increasing costs and diminishing returns, irrespective of the temptation to issue platitudes about doing everything possible. Improvements can always be made, and companies should not need governments and regulators to tell them how and where to improve. So I would prefer that CEOs like Colao spend more time saying what their companies have done to improve security and privacy, and less time stating opinions on what laws and rules should be imposed by governments and regulators.

If Colao encouraged privacy campaigners to feel more affection for the telecoms industry, this was reversed by the stupidity of Deutsche Telekom CEO Timotheus Hottges. Hottges said:

Eighty percent of consumers tell us they’re concerned by data privacy, but at the same time, they’re clicking ‘I accept, I accept’ all the time to download apps. How many of you have simplified passwords like 123456?… We’re concerned, but we don’t protect ourselves.

Writing as a qualified accountant, I fully appreciate why both parties should have a full understanding of any formal agreement they make. But writing as somebody who has reluctantly accepted the conditions imposed when downloading apps, I would kick Hottges up the backside if he said this to me in person. Too many big businesses take a legalistic attitude to security and privacy, to the detriment of ordinary people. I am an unusually pedantic and fastidious person, but I cannot afford to match the time that corporate lawyers spend poring over the endless fine print they throw at me, every time I want to engage in a simple transaction. The clicking of all those ‘accept’ buttons occurs because the framework for the interaction between customer and supplier has been devised by lawyers and legislators. And how do telco bosses respond to the absurdity of this situation? They complain about a need for more regulations, or a change to the rules, or a clarification of the law, and so forth. That is fine for them, because they are prioritizing corporate interests over customer interests – and because they employ plenty of expensive lawyers. That is why they write such long contracts, where almost all of those clauses are written to protect the provider, not to protect the customer.

It is cheap and easy for a business to abrogate its security responsibility, typically by telling the customer they must provide another password… and another password… and another password… no, not that password… and now you must change your password… they’re migrating to a new system so it’ll only take a few minutes to set up your new account with another new password… and if you’ve lost your password then you’d better submit some other passwords to help them decide if they can let you have yet another password…

There are dozens of better ways to verify customer identity than by implementing more and more passwords. But those methods cost more money than passwords do, so companies prefer to force their customers into using passwords. When they make that decision, they back it by writing lengthy contract clauses that stipulate if anything goes wrong, it must be the customer’s fault. Ironically, securely verifying identity can be a source of income for telcos, because mobile phones are a useful way to identify and communicate with us, wherever we are. That is why Visa will validate credit card transactions by checking the location of mobile phones. On the other hand, a network like EE, which was partly owned by DT, requires its customers to press lots of ‘accept’ buttons to install the app which provides an intelligent alternative to paper bills. And when you do, that app will not recognize your old T-Mobile logon details, even though EE was created by a merger between T-Mobile and Orange. So the customer has to spend time creating yet another password. Did I mention I want to kick Hottges up the arse because I was one of his customers?

Security and privacy are the top requirements of customers, even if they respond otherwise when surveyed. I say this with confidence because we all know they would instantly rise to the top of any customer’s list at the moment when the customer realizes they have been compromised. Sadly, they are not top priorities for CEOs, who treat them as costs. That is why Hottges would rather blame customers and law-makers for the ‘absurdity’ of modern data protection, instead of talking about how his company could do more to make our lives easier, whilst also improving security and privacy.

I cannot be too damning of CEOs, who must please their shareholders, some of whom have very short-term goals. But other investors take long-term positions, and the long-term danger to telecoms is that trust in their services can be so eroded by security breaches and privacy violations that it will cause permanent damage to the value of telcos. The CEO’s worst nightmare is that damage is caused not by failures in their own company, but by the knock-on reputation effect when rivals fall below expected standards, or when governments are caught snooping without the public’s support. That is why CEOs are right to ask that security and privacy are supported by a good, consistent legal framework which is widely and well enforced. But CEOs could do more to lead the way. And they would foster more goodwill if they talked more about security and privacy improvements in the times between major breaches and scandals, instead of waiting for bad things to happen, and then making lots of assurances, promises, and apologies, whilst underpinning them with a legalistic stance on who is to blame per the contract.

CEOs use phones too. I am sure they care deeply about their own security, and their own privacy. I am also sure they get frustrated with the time spent reading contracts, or clicking buttons to accept conditions, or entering and updating passwords – assuming they do it for themselves, and do not rely on some other trusted individual to do it for them. If CEOs want to speak to phone users about the issues that cause most concern, perhaps they should speak more like fellow phone users, and less like CEOs. Colao made it halfway there. Hottges fell well short. Even when talking about security and privacy, we can all do better.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others. Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy. Commsrisk is edited by Eric.